By October 2024, all companies must comply with the NIS2 directive. Does it also affect the security of your data? Chances are it does, because the scope of NIS2 is far larger than that of its predecessor.
In this blog we explain what the directive entails and how you comply with it. We also show which parts of your organization are affected by the new directive.
What is the NIS2 directive about?
The NIS2 directive makes companies more resilient to cybercrime. It raises the requirements for IT infrastructure and Operational Technology (OT) to keep attackers out. It also increases companies' responsibility to report incidents when they occur.
It further regulates stricter enforcement by governments and harmonization of the rules across the entire EU. As an organization you will have little to do with that – if all goes well.
What matters most to you are the requirements for your organization. These are heavier, cover more areas and apply to more sectors.
Who does the NIS2 guideline apply to?
The predecessor of the NIS2 directive mainly talked about essential infrastructure. Think of energy companies, governments and strategically indispensable companies. In addition, companies could also fall under the rules of NIS due to their size.
Time has not stood still. We also see that smaller organizations are attacked more often. Until recently, hackers mainly targeted larger companies. Logically so: there is a lot to gain from 1 successful intrusion.
Those were costly lessons for these companies, and they learned from them by making their IT systems and OT more secure. As a result, the focus of hackers has shifted to medium-sized and smaller companies.
There is another reason for the wider scope of NIS2. Consider what happens if you have your affairs in order, but your supplier is hit. Suppose that supplier handles the shipment of your products. Then your customers' address details are exposed.
The stricter rules are also necessary because of the far-reaching connectivity and interdependence in the Netherlands. Systems, servers and data centers are interconnected, which brings many benefits, but also the risk that a compromise spreads if things go wrong.
NIS2 distinguishes between 2 categories of companies: essential companies and important companies. The essentials are further subdivided into critical and very critical sectors.
Very critical sectors according to Annex I of the directive:
- Energy companies
- Water supply companies
- Management of ICT services
- Space travel, etc.
Other critical sectors according to Annex II:
- Critical sectors with companies in, for example:
  - food preparation and distribution
  - processing of waste
  - processing of waste water
  - postal and courier services
The requirements for these companies are the same, but supervision and sanctions are more severe for critical sectors.
Not in one of these sectors? Is your company smaller? Then you may still have to deal with NIS2, especially if ICT and IT services play a major role in the workplace.
NIS2 in practice
The directive revolves around the duty of care, the duty to report and supervision. This means that your company must be resilient and adequately protected, that this can be demonstrated with documentation, and that the companies that help you with it are certified to offer these services. An incident must be reported within 24 hours if it has disrupted continuity; in other cases the deadline is 72 hours.
After an incident, government services such as the National Cyber Security Centre will act. In any case, you will have to prepare a report of the events within a month.
Do I have to comply with the NIS2 directive?
The answer is: the chances are high. It has now become a directive with an obligation of result, in contrast to the previous directive, which only imposed an obligation of means. In other areas too, the non-binding character is gone. Particular attention is required for managerial positions.
Is that already necessary?
No, you do not have to comply with the directive yet. But yes, you have to get started now. After October 2024 everything should be in order, and that is sooner than you think. The requirements are broadly formulated and stricter, so there is homework to do. The European directive is currently being incorporated into national legislation, so the translation into Dutch law is now in progress. Consultation with companies will start in the autumn.
What does NIS2 say about an incident?
Safety in the field of cyber security is of national importance, and a cyber attack can have consequences for society as a whole. Partly for this reason, according to NIS2, directors of affected companies are also held jointly and severally liable for errors or lax policies. In any case, the fines have been increased and can run into the millions, or a few percent of the annual profit. So you have something to explain if things go wrong.
With this knowledge in mind, one thing is clear by now: doing nothing is not an option.
What should I do now?
Need to get started with NIS2? Aumatics gives you the answer to that question. In addition, we can use a NIS2 quick scan to indicate where you need to get started with the security of IT (and OT) and in what way. Take the first steps with the Quick Scan.